PREFACE

The work described in this report was performed by the Propulsion 
Division of the Jet Propulsion Laboratory.

ABSTRACT


A preliminary failure mode, failure effect, and criticality ana- 
lysis (FMECA) of the major subsystems of nuclear electric propulsion (NEP) 
is presented. Simplified reliability block diagrams (RBDs) are also given. 

A computer program, developed at JPL, was used to calculate the reliability 
of the heat rejection subsystem.

I. SYSTEM RELIABILITY ANALYSIS


The reliability of a system is the probability that it can successfully 
fulfill its intended mission in a given time when operated under specified 
conditions. The objective of reliability analysis is to help make this proba- 
bility of success as large as possible, within the limitations imposed by 
weight and cost. Two opposite approaches (forward and backward) to relia- 
bility analysis may be applied. In the forward approach, an overall system 
reliability goal is established. Subsystem and component reliabilities are 
allocated accordingly and expanded into a reliability tree. The salient fea- 
ture of this forward approach is that engineering design must meet stringent 
reliability requirements, which, of course, implies stringent requirements 
on specifications, materials, and the quality of engineering technology. 

Since all reasonable programs are cost-constrained, however, it is often 
unrealistic to insist on achieving a reliability objective set for a particular 
component or subsystem. 

In the backward approach, the reliability of each component is esti- 
mated based on available performance data and engineering judgment. This 
gives a realistic estimation of the reliability which can be achieved for a 
certain component. Unacceptably low reliability components are identified, 
and efforts to improve these components can then be implemented. In case 
of insufficient data to estimate component reliability, an acceptable relia- 
bility can be specified. Then that component is designed and developed to 
the specified reliability. 

Reliability analysis contributes significantly to system reliability 
through the process of identifying sources and causes of unreliability and 
subsequent design modifications. Reliability analysis should begin right 
after the proposed design starts. Some problems can be eliminated before 
they arise, and some can even be solved at an early stage when design
modification can be made without causing large increases in cost. Neglect
of the importance of early reliability analysis will probably cause
extraordinary, high-cost efforts later.

A simplified block diagram of reliability analysis during the design 
phase is shown in Fig. 1. 

As soon as the proposed design is conceived, the reliability engineer 
should start reliability analysis. He can study the failure modes and effects 
of each component, analyze the criticality of each failure mode, and then 
make overall reliability computations. The information required by the 
reliability engineer must come either from test results of the designed com- 
ponent or a similar component used on previous missions. 

Failure mode and effect analysis is the procedure for considering, 
qualitatively, different failure modes during operation of components and 
the effects these failure modes have on other components, subsystems, or 
system operation and, hence, on mission success. At this stage, modes of 
failure of lower-level elements are identified and their effects on the com- 
ponents noted. The likelihood of component failure and the mode of failure 
are inputs to the reliability prediction logic model. Experience with the 
components during developmental testing, or experience with similar com- 
ponents in other applications, provides the basis for evaluating the likelihood 
of failure in various modes of operation. Great care must be exercised to 
be sure that all possible failure modes and effects are identified and described. 
Some failure modes result from simultaneous failure of more than one com- 
ponent and must also be included in the analysis. 

Criticality analysis is a quantitative procedure of identifying the cata- 
strophic failure mode and estimating the degree of severity by considering 
failure data, failure mode frequency ratio, and environmental stress factors. 

A number, preferably in failures per million hours, is thus obtained for the 
critical part or component from which the system reliability is calculated. 

Reliability computations of the system can be made from knowledge of 
the behavior of the components. The computed reliability of the system may 
suggest that either a redesign or a more refined and updated analysis tech- 
nique is required. Another technique would be to increase reliability of a 
part or component by truncating material strength distribution or application
stress distribution or both through proof load and material test. The
truncation eliminates some potential failures and hence increases the
reliability (Ref. 1). Physical constraints, costs, schedules, and parametric
trade studies become important considerations in this process. If the
reliability requirement for a system greatly exceeds the predicted value, an
entirely different design concept, functional approach, or redundancy scheme
may then be examined. In selection among alternatives to achieve a given 
level of reliability, the cost must be kept at a minimum. Examination of 
different schemes should be repeated until there is no great difference 
between predicted and required reliability and the cost is minimum. 

One important aspect of reliability analysis during the design phase is 
that the reliability analysis should serve as a tool of parameter study for 
component/subsystem tradeoffs. Regarding thermionic converter networks,
for example, reliability is one of the most important parameters to be
considered in selecting series-parallel connections.

Emphasis here is placed on failure modes and effects analysis. For
each of the major subsystems of nuclear electric propulsion (NEP), a failure 
mode and effect and criticality analysis (FMECA) and greatly simplified 
reliability block diagrams (RBDs) are given. Detailed and sophisticated 
FMECA and RBD are impossible at this stage. 

To estimate NEP system reliability, arbitrary reliability figures for 
NEP subsystems were assigned, and system reliability was computed as 
shown in Table 1. The overall reliabilities obtained seem low. It is clear 
from Fig. 2 that any system with more than a few components in series has
a low reliability unless each of the series component reliabilities is in the
range of 0.995 or greater.

II. PRELIMINARY FAILURE MODE, FAILURE EFFECT, AND 
CRITICALITY ANALYSIS AND RELIABILITY BLOCK 
DIAGRAMS OF NEP SYSTEM 

A preliminary failure mode, failure effect, and criticality analysis 
(FMECA) is given in this section. A reliability block diagram (RBD) for 
each of the subsystems is also included. A quantitative criticality analysis 
should be implemented whenever sufficient failure data, failure mode
frequency ratio, and environmental stress factors are available.

Table 1. Arbitrary reliability allocation of NEP system

A. System Definition


The reference NEP system/spacecraft is of side-thrust configuration 
and is shown in Fig. 3. The NEP system consists mainly of a thrust sub- 
system and a power subsystem. The power subsystem consists mainly of a 
120-kWe, 20,000 equivalent full power hours (EFPH) thermionic reactor, a
heat-rejection subsystem, and a nuclear shield. The thrust subsystem
consists mainly of 18 30-cm ion thrusters and 36 power conditioning units.

(The number of components and other data given here are for reference 
purposes and do not imply a final design.) 

B. Classification of Criticality

At this stage, only qualitative criticality analysis is possible. The
criticality of a component is classified according to the following criteria:

Class I: Catastrophic failure of the NEP system occurs in a relatively
short time. If this critical failure mode of a component
takes place, the mission is impossible to accomplish.

Class II: Performance characteristics of the subsystem and/or system
may be changed. If sufficient redundancy is available or
degradation of performance is not significant, the mission
can still be completely successful. If performance degradation
is within certain limits, the mission may be achieved
partially.

Class III: Effect on system and/or the mission is small and negligible;
performance may degrade but not below design value.


C. Reactor Subsystem 

The reactor subsystem is composed of a thermionic reactor and its
auxiliary control elements, a LiH neutron shield, and miscellaneous
structures. The reactor consists of 162 thermionic fuel elements (TFEs),
arranged in six full hexagonal rings with six additional TFEs per side in the
seventh ring and 18 radial reflectors which are movable in pairs by nine
stepping motors. Each TFE consists of six series-connected flashlight
converters sharing a common cesium reservoir and an electrical heater.
The emitter is of tungsten and operates at about 1900 K. The collector is
of niobium and operates at about 1100 K. The converter efficiency is about
11%. The coolant, NaK, enters the core at 975 K and leaves the core at
1075 K, carrying the waste heat to the heat rejection subsystem. Neutron
detectors and ion chambers are used to measure the neutron flux and the
power level and feed signals to the automatic control mechanism. The
reactivity is controlled by the rotation of the radial reflector drums, which
are made of BeO. Each pair of the reflectors is to be driven by one motor.
The design maximum thermal power plant output is 1840 kWe. A single TFE
is expected to produce 800-1000 kWe at 5.5-6 V. The total reactor lifetime
is expected to be more than 50,000 h.

JPL Technical Memorandum 33-629

Table 2 presents the preliminary FMECA of the reactor subsystem; 
Fig. 4 shows its RBD. Note in Fig. 4 that some blocks should be expanded 
into more detail whenever the detailed design is consolidated. 

D. Thrust Subsystem 

The thrust subsystem is composed of 18 30-cm-diameter mercury 
electron bombardment ion thrusters, 36 power conditioning units (PCU) to 
convert the power output from the thermionic reactor into suitable power 
for the thrusters, eight gimbal actuators, and two translator actuators with 
carriage and translator rods, one thruster array structure (TAS) for mount- 
ing the ion thrusters, two propellant (Hg) storage tanks which also serve a 
major role as gamma radiation shielding, and the auxiliary propellant-feed 
system components. Some of the thrusters are provided as active standby 
such that partial failure is allowed to occur without loss of the thrust or 
thrust vector control capability. 

The FMECA of the thrust subsystem is given in Table 3; the RBD is 
shown in Fig. 5. Again, some blocks should be expanded when detailed 
design is available. 

E. Heat Rejection Subsystem 

The heat rejection subsystem is a large and important part of the
propulsion system which justifies a separate FMECA. First, any
loss-of-coolant incident in the reactor core would lead to complete mission
failure. Second, severe degradation of a single cell of any TFE due to
improper cooling may propagate to other cells and possibly lead to a
complete shutdown of the thermionic reactor power plant in a relatively short
time.

Table 2. FMECA of reactor subsystem

Component: Reactor vessel
Function: Integrating framework of the entire thermionic reactor.
Failure modes:
  (a) Weld failure.
  (b) Corrosion or deterioration of vessel material.
  (c) Seal failure at TFE penetrations in vessel head.
Failure effects:
  (a) Loss of coolant in the core leading to melting down of the reactor
      or shutdown of the power plant.
  (b) Same effect as (a) or no effect at all if corrosion within tolerance.
  (c) Same as (a).
Criticality:
  (a) Class I.
  (b) Class III.
  (c) Class I.

Component: Thermionic fuel element (TFE)
Function: Electrical power source for the entire system; confinement of
  fission products and vent path for fission gas.
Failure modes:
  (a) Fuel swelling.
  (b) Emitter/collector insulator breakdown.
  (c) Sheath or cladding mechanical failure.
  (d) Open circuit of internal series connections.
Failure effects:
  (a) Spacing between emitter and collector distorted: emitter, collector
      and local coolant temperature may rise, but within tolerance.
  (b) Converter short circuit, loss of partial power of a TFE.
  (c) Local coolant temperature rising, deteriorating the cell.
  (d) Loss of 1/2 power of one TFE.
Criticality:
  (a) Class III.
  (b) Class II.
  (c) Class II.
  (d) Class II.

Component: Radial reflector drum and control mechanism
Function: Lockout of the reflectors, keeping the reactor subcritical during
  launching; moving the reflector drums to change the neutron leakage rate
  and to control the reactivity of the reactor.
Failure modes:
  (a) Spiral spring or locking device failure.
  (b) Electrical wiring failure in the stepper motor.
  (c) Bearing failure.
  (d) Shaft fracture.
Failure effects:
  (a) Unsafe for launching; spiral spring failure after launch affecting
      the control of the reactor.
  (b) The reflector scramming outward away from the core during the
      startup phase; loss of reactivity control after startup.
  (c) Degradation of performance of reflector control.
  (d) Loss of control on one pair of reflectors.
Criticality:
  (a) Class I or II.
  (b) Class I or II.
  (c), (d) Class II.
  Note: Severe environments - high temperature and high radiation.

Component: Neutron detector, ion chamber and other instruments
Function: Feeding necessary signals to control mechanism for starting up
  and controlling of reactor power level.
Failure modes: Electrical malfunction or damage.
Failure effects: Loss of power level control.
Criticality: Class II or I.

Component: Cesium reservoir and heater, cesium passage
Function: Maintaining optimal operating condition for converter.
Failure modes:
  (a) Meteoroid puncture of the cesium reservoir.
  (b) Heater breakdown.
  (c) Blockage or leakage of cesium path.
Failure effects:
  (a) Loss of cesium and (b).
  (b) Degradation of performance of converter.
  (c) Same as (a) and (b).
Criticality:
  (a) (b) (c) Class II.

Component: Fission gas vent and storage chamber
Function: Venting of the fission gas in the fuel element to alleviate fuel
  swelling; confinement of fission gas in the storage chamber.
Failure modes:
  (a) Blockage of fission gas path.
  (b) Meteoroid puncture damage on fission gas storage chamber or other
      kind of leakage.
Failure effects:
  (a) Excessive fuel swelling, degrading performance of converter.
  (b) On-board radiation environment worsening.
Criticality:
  (a) (b) Class II.

Component: Low-voltage cable
Function: Connecting fuel element electrical outputs to power processors.

Component: Auxiliary power conditioner
Function: Supplying necessary electrical power to power subsystem such as
  reactor control, cesium heater, etc.
Failure modes:
  (a) Transformer over-heat.
  (b) Wire failure.
Failure effects:
  (a) Auxiliary power conditioner performance.
  (b) Performance degradation, reactor control: power plant shutdown.
Criticality:
  (a) Class II.
  (b) Class II or I.

Component: LiH shield
Function: Reducing the integrated neutron flux to an acceptable level to
  the science instrument.
Failure modes:
  (a) Excessive neutron- and gamma-induced heating.
  (b) Crack or void in the shield.
  (c) Meteoroid puncture.
Failure effects:
  (a) Thermal stress.
  (b) Increasing hydrogen evolution neutron flux at payload.
  (c) Mission failure.
Criticality:
  (a) Class III.
  (b) Class II.
  (c) Class I.

Component: Batteries
Function: Supplying the startup power for the reactor.
Failure modes: Open or short circuit.
Failure effects: Prevent startup of the power plant.
Criticality: Class I.

system (b) Maintain spacecraft CG. or others on the feed line, (c) CG being changed. TVC capability),
(c) Neutron and gamma shielding, (c) Unbalance use of mercury.

This subsystem consists of approximately 2500 heat pipes, including 
necessary redundancy, which are brazed to three NaK coolant headers, an 
EM pump with dual windings which circulates the NaK coolant, and two ac- 
cumulators, which compensate for the volumetric change of the coolant due 
to temperature variations. Each accumulator consists of a gas-pressurized
bellow and a concentric passive cylindrical tank which serves as secondary 
containment such that if any mechanical failure of the bellow occurs, loss 
of coolant would be prevented by the tank. 

The heat rejection subsystem FMECA and RBD are shown in Table 4
and Fig. 6, respectively. 

III. RELIABILITY MODELING AND COMPUTER PROGRAM 
A. Reliability Modeling 

Some basic reliability models (Refs. 3-7) are presented as follows:

(a) n series configuration with constant failure rate (independent
components). The reliability of this configuration is


n 



i=l 


(b) n parallel configuration with constant failure rate (no switching
or perfect switching). The reliability of this configuration is


n 

R = ^ ■ n 

i=l

(c) Two identical units (one standby) with a failure rate while
operating and while in dormant state

$$R = e^{-\lambda t} + \frac{\lambda}{\lambda_d}\left[e^{-\lambda t} - e^{-(\lambda + \lambda_d) t}\right]$$

(d) n identical and independent units, allowing m unit failure without 
causing serious degradation 


R 



-kt 

(1 - e 



n- i 


Example of application area: heat pipes in heat rejection
subsystem. 

(e) n-1 standby units which cannot fail until operated and with a
switching failure rate



In formulas (a) through (e) it is assumed that the causes of fail- 
ure are all external to the element and unrelated to previous use. 
However, if the failure rate should be changing with time, a 
more flexible distribution, such as a generalized Weibull distri- 
bution (Ref. 8), is required. 

(f) A configuration with W series of N parallel units supported by
M spares in dormancy.

$$R = \frac{(NW\lambda)^M}{(M-1)!} \int_0^t y^{M-1} e^{-NW\lambda y} \left[R_N(t-y)\right]^W dy + 1 - \frac{(NW\lambda)^M}{(M-1)!} \int_0^t y^{M-1} e^{-NW\lambda y}\, dy$$

in which y is the time, assuming a gamma distribution, at which
the last spare unit has been consumed and $R_N$ is the reliability
of the N parallel units.

Example of application area of formulas (e) and (f): thrusters in
the thrust subsystem. 

(g) Simulation (Monte Carlo method): an analogous stochastic process
to simulate the random failure and wearout failure of a
complex system. Example of application area: converter network
in the reactor subsystem.

B. Reliability Computer Program

Reliability calculation can be handled by analytical probability theory 
if the system configuration is not complex in the sense of a reliability block 
diagram. For calculation of the reliability of a system consisting of a 
complex combination of dormant and/or active redundancy with imperfect 
switch function, a computer program has been developed at JPL (Ref. 9). 
Two computer subroutines are also established to calculate the survival 
probability of heat pipes and other piping due to meteoroid puncture and the 
probability of expected number of survivors from "n" identical active
redundant elements, respectively.

A reliability block diagram computation program was developed by 
Chelson and Eckstein at JPL. It is useful in handling active/standby
combinations of redundancies, including the effects of imperfect switching in
any standby redundancy. As an exemplified application of the program, assume
we want to know the reliability of a heat rejection subsystem for a 20,000-h
operation, given the failure rates of each component. The reliability of a
NEP heat rejection subsystem for a 20,000-h mission is estimated by applying
the computer programs. The heat rejection subsystem reliability block
diagram is shown in Fig. 6. 

The λ's are the element failure rate as the number of failures occurring
in one million hours. Block 1 represents the heat pipes of the radiator;
2341 out of 2496 heat pipes must be operating at end of mission (about 6.3%
redundancy). The failure rates and are calculated based on heat pipe
and header meteoroid puncture probability. Blocks 2 and 3 represent two
active redundant EM pumps. Blocks 4 through 7 represent two series-of-two
active redundant accumulators (the heat rejection subsystem fails if both
in-parallel accumulators fail). Blocks 8 through 13 represent the three
headers of the radiator. It is assumed that in one out of three headers NaK
coolant flow is allowed to be blocked (flow stoppage but no leaks) without
causing mission failure. Block 14 is incorporated separately for the three
headers in the reliability block diagram, considering the catastrophic failure
mode due to meteoroid puncture. Block 15 represents all the other piping
of the subsystem. Failure rates X, through X, , and X,_ are estimated
(Ref. 10). Equal failure rates are assumed for identical components. Based
on the above, the reliability of the heat rejection subsystem is calculated to
be 0.99577 for 20,000 h. Table 5 presents part of the computer output; it
shows the calculated reliability for each block (which represents the critical
function of a component) and the overall subsystem reliability.
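
The block-diagram arithmetic described above can be sketched as follows. This is an added example, not the JPL program of Ref. 9 and not part of the original report: it applies the constant-failure-rate series, parallel and k-out-of-n models to the active failure rates printed in Table 5. The arrangement of blocks 8 through 13 is an assumption (Fig. 6 is not reproduced here), so two header models are offered, and the function and parameter names are illustrative.

```python
import math

MISSION_HOURS = 20_000  # mission length used in the report

# Active failure rates (failures per hour) for blocks 1-15, read from Table 5
# (".3000000-06" is 0.3e-6). Dormant rates are all zero there, so dormancy
# and imperfect switching are not modelled in this sketch.
FAILURE_RATES = {1: 0.5e-10, 2: 0.3e-6, 3: 0.3e-6, 14: 0.55e-10, 15: 0.21e-6}
FAILURE_RATES.update({b: 0.4e-7 for b in range(4, 8)})    # accumulators
FAILURE_RATES.update({b: 0.21e-6 for b in range(8, 14)})  # header blocks


def block_reliability(rate, hours=MISSION_HOURS):
    """Constant failure rate: R = exp(-lambda * t)."""
    return math.exp(-rate * hours)


def series(reliabilities):
    """Series configuration: every block must survive."""
    return math.prod(reliabilities)


def parallel(reliabilities):
    """Active redundancy: the group fails only if every block fails."""
    return 1.0 - math.prod(1.0 - r for r in reliabilities)


def k_of_n(k, n, r):
    """At least k of n identical, independent units survive."""
    return sum(math.comb(n, i) * r**i * (1.0 - r) ** (n - i)
               for i in range(k, n + 1))


def subsystem_reliability(header_model="branches"):
    """Compose the 15 blocks as the text describes them.

    header_model is an ASSUMPTION about blocks 8-13:
      "branches"     - three parallel branches of two series blocks, all six
                       blocks treated as independent (a common way to draw
                       2-of-3 in a block diagram)
      "two_of_three" - exact 2-out-of-3 over three independent headers
    """
    r = {b: block_reliability(lam) for b, lam in FAILURE_RATES.items()}
    pumps = parallel([r[2], r[3]])                    # blocks 2 and 3
    accumulators = series([parallel([r[4], r[5]]),    # blocks 4 through 7
                           parallel([r[6], r[7]])])
    if header_model == "branches":
        headers = parallel([series([r[8], r[9]]),
                            series([r[10], r[11]]),
                            series([r[12], r[13]])])
    elif header_model == "two_of_three":
        headers = k_of_n(2, 3, r[8])
    else:
        raise ValueError(f"unknown header_model: {header_model!r}")
    # Blocks 1, 14 and 15 are single series elements with the rates as given.
    return series([r[1], pumps, accumulators, headers, r[14], r[15]])


if __name__ == "__main__":
    for block in sorted(FAILURE_RATES):
        print(f"Block {block:2d}  R = {block_reliability(FAILURE_RATES[block]):.7f}")
    for model in ("branches", "two_of_three"):
        print(f"{model:13s} subsystem R = {subsystem_reliability(model):.5f}")
```

The per-block values reproduce the reliability column of Table 5. With the assumed "branches" arrangement the subsystem figure rounds to the 0.99577 quoted above, while an exact 2-of-3 treatment of three headers gives 0.99572, which shows how sensitive the result is to how the header redundancy is drawn.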

IV. APPROACH TO NEP SYSTEM RELIABILITY COMPUTATION 

A. Definition of Success of Mission

System reliability computation demands a clear-cut definition of sys- 
tem success. Without this guideline, it is difficult to evaluate the unrelia- 
bility of subsystems and components. For example, suppose the LiH 
shielding cracked because of overheating during the mission propulsion 
phase and allowed higher doses at the science equipment. However, suffi- 
cient scientific data was received from the spacecraft to satisfy the mission 
objectives. Then we can say that the shielding reliability is 1, because the 
crack did not affect the return of mission data and thus the mission was 
successful. 

B. Mean-Time to Failure

Mean-time to failure (MTTF) for each component is required for com- 
putation of reliability of a nonmaintainable system such as NEP. Several 
failure-rate data sources will provide some of the needed information. In 
addition, a plan for testing will be required for some elements of subsystems, 
such as heat pipes, TFE, etc. Tests should be designed to give the best 
estimate of the reliability of elements. Environmental conditions for all 
the elements should be specified and used in estimating MTTF for the 
mission. 


Table 5. Reliability of the heat rejection subsystem

Block    Active F/R     Dormant F/R    R-Initial Reliability
  1      .5000000-10    .0000000       .9999990+000
  2      .3000000-06    .0000000       .9940180+000
  3      .3000000-06    .0000000       .9940180+000
  4      .4000000-07    .0000000       .9992003+000
  5      .4000000-07    .0000000       .9992003+000
  6      .4000000-07    .0000000       .9992003+000
  7      .4000000-07    .0000000       .9992003+000
  8      .2100000-06    .0000000       .9958088+000
  9      .2100000-06    .0000000       .9958088+000
 10      .2100000-06    .0000000       .9958088+000
 11      .2100000-06    .0000000       .9958088+000
 12      .2100000-06    .0000000       .9958088+000
 13      .2100000-06    .0000000       .9958088+000
 14      .5500000-10    .0000000       .9999989+000
 15      .2100000-06    .0000000       .9958088+000

Reliability of the heat rejection subsystem through 20000. hours = .99577


C. Variance Analysis and Reliability Engineer

If both distributions of the material strength and the stress under
various environmental conditions that a component will experience through an
entire mission are known, the probability of failure of that component can be
calculated. Assume the performance of that component is Y, which relates to
n variables such as temperature, pressure, etc. We can then express
the performance of a component as a function of these variables:

$$Y = f(x_1, x_2, \ldots, x_n)$$

and the variance $\sigma^2$ as

where $\sigma_i^2$ is the variance associated with $x_i$, and $\rho_{ij}$ is the degree of
dependence between variables $x_i$ and $x_j$ (Ref. 11). If the variables are
statistically independent, then $\rho_{ij} = 0$.

Through the variance analysis, the variance which contributes most to 
the unreliability of that component can be determined. Efforts can then be 
concentrated on work to reduce that particular variance and hence increase 
the reliability. 


In order to have an efficient and realistic estimate of reliability during 
the design and development phase, the reliability engineer should be involved 
in design and development testing, and should be informed of any system 
modifications or change. Through this involvement, he will have an under- 
standing of each component failure mode, its effects and criticality, and a 
best estimate of NEP system reliability for the entire mission.

Fig. 1. Reliability analysis block diagram

Fig. 2. Reliability of a system as a function of varying numbers of
components (from Ref. 11)

Fig. 3. NEP system/spacecraft, side thrust concept

Fig. 4. Reliability block diagram of reactor subsystem

Fig. 5. Reliability block diagram of thrust subsystem